Summary
The CUDly Azure custom role action list lives in three places:
- terraform/modules/iam/azure/cudly-reservation-role/main.tf (shared Terraform module, added in PR #744, "fix(iac/azure): custom role grants Microsoft.Capacity/reservationOrders/purchase/action")
- arm/CUDly-CrossSubscription/template.json (customer ARM onboarding template)
Even with the shared Terraform module introduced by PR #744, the ARM JSON file still duplicates the actions list and must be updated manually whenever actions are added or removed. There is currently no CI guard that fails when one source changes without the other.
Impact
Drift between the Terraform module and the ARM template would cause different permission sets for customers who onboard via ARM (the documented path) versus those who onboard via Terraform. This is a latent correctness issue, not a security issue.
Proposed Fix Options
Pick one:
a. tflint custom rule or unit test that diffs arm/CUDly-CrossSubscription/template.json's actions list against terraform/modules/iam/azure/cudly-reservation-role/main.tf.
b. Generate the ARM template from the Terraform source via a script that runs in CI (HCL -> ARM JSON), making the Terraform module the single source of truth.
c. CI path guard: fail the build when either file changes without the other (e.g. a paths-filter job in GitHub Actions).
Notes
Not urgent - drift only matters when actions are added to or removed from the role definition. The current action list is correct in both files as of PR #744.
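A minimal version of fix option (a), written as an added example rather than code from the CUDly repository: it extracts the actions list from the ARM role definition and from the Terraform module and exits non-zero on any difference. The two file contents below are constructed stand-ins (the real files are not on this page), and the HCL side is a regex over `actions = [...]`, not a full HCL parser, so it assumes plain string literals in that list.

```python
import json
import re
import sys

# Constructed stand-in for arm/CUDly-CrossSubscription/template.json (contents invented)
ARM_TEMPLATE = """{"resources": [{
  "type": "Microsoft.Authorization/roleDefinitions",
  "properties": {"permissions": [{
    "actions": ["Microsoft.Capacity/reservationOrders/read",
                "Microsoft.Capacity/reservationOrders/purchase/action"],
    "notActions": []}]}}]}"""

# Constructed stand-in for terraform/modules/iam/azure/cudly-reservation-role/main.tf
TF_MODULE = """resource "azurerm_role_definition" "cudly" {
  permissions {
    actions     = ["Microsoft.Capacity/reservationOrders/read"]
    not_actions = []
  }
}"""

def arm_actions(text: str) -> set[str]:
    """Collect every actions entry from roleDefinitions resources in an ARM template."""
    found = set()
    for res in json.loads(text).get("resources", []):
        if res.get("type") == "Microsoft.Authorization/roleDefinitions":
            for perm in res.get("properties", {}).get("permissions", []):
                found.update(perm.get("actions", []))
    return found

def tf_actions(text: str) -> set[str]:
    """Pull quoted strings out of each `actions = [...]` block (\\b keeps not_actions out)."""
    found = set()
    for block in re.findall(r"\bactions\s*=\s*\[(.*?)\]", text, re.DOTALL):
        found.update(re.findall(r'"([^"]+)"', block))
    return found

def drift(arm: str, tf: str) -> dict[str, set[str]]:
    """Actions present in only one source; two empty sets mean the files agree."""
    a, t = arm_actions(arm), tf_actions(tf)
    return {"only_in_arm": a - t, "only_in_terraform": t - a}

if __name__ == "__main__":
    result = drift(ARM_TEMPLATE, TF_MODULE)
    if any(result.values()):
        print("Role action drift detected:", result)
        sys.exit(1)  # fail the CI job
    print("ARM template and Terraform module agree")
```

In CI the two constants would be replaced by reading the real files; the purchase/action entry missing from the constructed Terraform side is what makes the sample run fail.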